On Tue, Jun 01, 2010 at 02:47:07AM +0200, Jan Schejbal wrote:
> PuTTY, a SSH client for Windows, requests the passphrase to the ssh
> key in the console window used for the connection. This could allow
> a malicious server to gain access to a user's passphrase by spoofing
> that prompt.
>
> Developer notification:
> The possibility of such spoofing attacks is known:
> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gui-auth.html
>
> Other software affected:
> Probably many console-based SSH tools have similar issues.

This was also discussed in the context of OpenSSH; I am familiar with
http://thread.gmane.org/gmane.network.openssh.devel/16488/focus=16497,
but that was probably not the first time either.

Joachim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
